| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250610172226.1470741-28-stephen.smalley.work@gmail.com>
Date: Tue, 10 Jun 2025 13:21:58 -0400
From: Stephen Smalley <stephen.smalley.work@...il.com>
To: selinux@...r.kernel.org
Cc: paul@...l-moore.com,
omosnace@...hat.com,
netdev@...r.kernel.org,
Stephen Smalley <stephen.smalley.work@...il.com>
Subject: [PATCH v4 27/42] selinux: introduce task_obj_perm()
Introduce task_obj_perm() for namespace-aware permission checking
between two tasks using the objective SID for both tasks and
without assuming that either task is current.
Convert the permission checks of this form in the hook functions
to use this new helper.
Signed-off-by: Stephen Smalley <stephen.smalley.work@...il.com>
---
security/selinux/avc.c | 56 ++++++++++++++++++++++++++++++++++
security/selinux/hooks.c | 5 ++-
security/selinux/include/avc.h | 3 ++
3 files changed, 61 insertions(+), 3 deletions(-)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9385dcd84eee..07cd1b037ed1 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -1291,6 +1291,62 @@ int cred_task_has_perm(const struct cred *cred, const struct task_struct *p,
return 0;
}
+static const struct task_security_struct *task_security(
+ const struct task_struct *p)
+{
+ const struct task_security_struct *tsec;
+
+ tsec = selinux_cred(__task_cred(p));
+ while (tsec->state != current_selinux_state && tsec->parent_cred)
+ tsec = selinux_cred(tsec->parent_cred);
+ if (tsec->state != current_selinux_state)
+ return NULL;
+ return tsec;
+}
+
+int task_obj_has_perm(const struct task_struct *s,
+ const struct task_struct *t,
+ u16 tclass, u32 requested,
+ struct common_audit_data *ad)
+{
+ const struct cred *cred;
+ const struct task_security_struct *tsec;
+ struct selinux_state *state;
+ u32 ssid;
+ u32 tsid;
+ int rc;
+
+ state = current_selinux_state;
+ rcu_read_lock();
+ tsec = task_security(s);
+ if (tsec)
+ ssid = tsec->sid;
+ else
+ ssid = SECINITSID_UNLABELED;
+ rcu_read_unlock();
+
+ do {
+ tsid = task_sid_obj_for_state(t, state);
+
+ rc = avc_has_perm(state, ssid, tsid, tclass, requested, ad);
+ if (rc)
+ return rc;
+
+ cred = tsec->parent_cred;
+ if (!cred)
+ break;
+
+ rcu_read_lock();
+ tsec = selinux_cred(cred);
+ ssid = tsec->sid;
+ state = tsec->state;
+ rcu_read_unlock();
+ } while (cred);
+
+ return 0;
+}
+
+
int cred_has_extended_perms(const struct cred *cred, u32 tsid, u16 tclass,
u32 requested, u8 driver, u8 base_perm, u8 xperm,
struct common_audit_data *ad)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4c2f7491803b..44730629c772 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2126,9 +2126,8 @@ static int selinux_ptrace_access_check(struct task_struct *child,
static int selinux_ptrace_traceme(struct task_struct *parent)
{
- return avc_has_perm(current_selinux_state,
- task_sid_obj(parent), task_sid_obj(current),
- SECCLASS_PROCESS, PROCESS__PTRACE, NULL);
+ return task_obj_has_perm(parent, current, SECCLASS_PROCESS,
+ PROCESS__PTRACE, NULL);
}
static int selinux_capget(const struct task_struct *target, kernel_cap_t *effective,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 1631f6cdbefd..2c2268249b44 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -173,6 +173,9 @@ int cred_other_has_perm(const struct cred *cred, const struct cred *other,
u16 tclass, u32 requested,
struct common_audit_data *ad);
+int task_obj_has_perm(const struct task_struct *s, const struct task_struct *t,
+ u16 tclass, u32 requested, struct common_audit_data *ad);
+
u32 avc_policy_seqno(struct selinux_state *state);
#define AVC_CALLBACK_GRANT 1
--
2.49.0
Powered by blists - more mailing lists